This document provides an overview of chapter 1 of the CNIT 125 course on information security and CISSP preparation. It covers key security terms like confidentiality, integrity, and availability that make up the CIA triad. It also discusses security governance principles such as strategic planning, change management, data classification, and defining security roles and responsibilities. Finally, it introduces several common security control frameworks and standards like ISO 27000, NIST 800 series, and COSO that are used to implement controls and ensure compliance.

1. CNIT 125:
Information Security
Professional
(CISSP
Preparation)
Ch 1. Security and Risk
Management (Part 1)

2. Topics
• Security Terms
• Security Governance Principles
• Compliance
• Legal and Regulatory Issues
• Professional Ethics
• Security Documentation
• Business Continuity

3. Topics
• Personnel Security Policies and Procedures
• Risk Management Concepts
• Geographical Threats
• Threat Modeling
• Security Risks in the Supply Chain

4. 4
Security Terms

5. The CIA Triad

6. The CIA Triad

7. Confidentiality
• Keeps data secret
• Prevents unauthorized read access
• An attack: theft of Personally Identifiable
Information (PII) such as credit card
information
• Health Insurance Portability and
Accountability Act (HIPAA)
• Requires medical providers to keep
patient information private

8. Confidentiality
• Data should only be available to users who
have
• Clearance
• Formal access approval
• Need to know

9. Integrity
• Assures that data has not been modified,
tampered with, or corrupted
• Three perspectives
• Prevent unauthorized subjects from making
modifications
• Prevent authorized subjects from making
unauthorized modifications, such as mistakes
• Maintaining consistency of objects so data is
correct and maintains its proper relationships
with child, peer, or parent objects

10. Integrity Controls and
Countermeasures
• Access controls
• Authentication
• Intrusion Detection Systems
• Activity logging
• Maintaining and validating object integrity
• Encryption
• Hashing

11. Integrity Attacks
• Viruses
• Logic bombs
• Unauthorized access
• Errors in coding
• Malicious modification
• System back doors

12. Availability
• Data and services are available when
needed by authorized subjects
– Remove SPOF (Single Point of Failure)
– Prevent Denial of Service attacks

13. Threats to Availability
• Device failure
• Software errors
• Environmental issues (heat, static,
flooding, power loss, etc.)
• Denial of Service attacks
• Human errors (deleting important files,
under allocating resources,
mislabeling objects)

14. Availability Controls
• Intermediary delivery systems design
(routers, proxies, etc.)
• Access controls
• Monitoring performance and traffic
• Redundant systems
• Backups
• Business Continuity Planning
• Fault-tolerant systems

15. Balancing CIA
• You can never have perfect security
• Increasing one item lowers others
• Increasing confidentiality generally lowers
availability
– Example: long ,complex passwords that are easily
forgotten

16. Auditing and Accounting
• Auditing
• Measurable technical assessment of a
system or application
• Accounting
• Logging access and use of information
resources

17. Five Elements
• Identification claiming to be someone
• Authentication proving that you are that
person
• Authorization allows you to access
resources
• Auditing records a log of what you do
• Accounting reviews log files and holds
subjects accountable for their actions

18. AAA Services
• Authentication
• Authorization
• Accounting

19. 19
• Link Ch 2a
Example of Accounting

20. 2a-1

21. Non-Repudiation
• Prevents entities from denying that they took
an action
• Examples: signing a home loan, making a
credit card purchase
• Techniques
– Digital signatures
– Audit logs

22. Least Privilege and Need to Know
• Least privilege
• Users have the minimum authorization to
do their jobs
• Need to know
• More granular than least privilege
• Users must have a need to access that
particular information before accessing it

23. 23
Example: Need to Know
• In the 1990's US
intelligence agencies did
not share information
with one another
• "Information Silos"
• Failed to predict the 9/11
attacks, arguably for this
reason
• Links Ch 2b, 2c

24. 24
Example: Need to Know
• The silos were
removed
• So Bradley
Manning (now
Chelsea), gave
750,000 classified
or sensitive
documents to
Wikileaks
• Links Ch 2d, 2e, 2f

25. Subjects and Objects
• Subject is an active entity
• Such as a person accessing data
• Or a computer program
• Object is a passive entity
• Such as paper records or data files

26. Subjects and Objects
• Internet Explorer
• A Subject when running in memory
• Accessing data
• iexplore.exe
• An object when not running
• A file sitting on a disk

27. Defense in Depth
• Multiple defenses in series
• If one fails, another may succeed
• Example:
• Palo Alto firewall protects whole LAN
• Windows firewall runs on each workstation

28. Due Care and Due Diligence
• Due Care
• Doing what a reasonable person would do
• The "prudent man" rule
• Informal
• Due Diligence
• Management of due care
• Follows a process
• A step beyond due care

29. Gross Negligence
• The opposite of due care
• If you suffer loss of PII
• Legal consequences will depend on
whether you can demonstrate due care or
not

30. Abstraction
• Group similar elements together
• Assign security controls, restrictions, or
permissions to the groups
• Such as Administrators, Sales, Help Desk,
Managers

31. Data Hiding
• Placing data in a logical storage
compartment that is not seen by the subject
• Ex:
• Keeping a database inaccessible to
unauthorized users
• Restricting a subject at a low classification
level from accessing data at a higher
classification level

32. Encryption
• Hiding the meaning of a communication
from unintended recipients

33. 2a-2

34. 34
Security Governance
Principles

35. Security Governance Principles
• The collection of practices
• Supporting, defining and directing
• The security efforts of an organization
• Goal is to maintain business processes while
striving towards growth and resiliency
• Some aspects are imposed on organizations
• Regulatory compliance
• Industry guidelines
• License requirements

36. Security Governance Principles
• Must be assessed and verified
• Security is not just an IT issue
• Affects every aspect of an organization

37. Alignment of Security Function
to Strategy, Goals, Mission, and Objectives
• Base security planning on a business case
• A documented argument to define a need
• Justifies the expense

38. CSO (Chief Security Officer)
• Security management is a responsibility of
upper management, not IT staff
• InfoSec team should be led by a CSO
• CSO reports directly to senior management
• CSO and InfoSec team are outside the
typical hierarchical structure

39. Strategic, Tactical, and Operational
Plans

40. Strategic, Tactical, and Operational
Plans
• Strategic Plan
• Long term (about five years)
• Goals and visions for the future
• Risk assessment
• Tactical Plan
• Useful for about a year
• Ex: projects, acquisitions, hiring, budget,
maintenance, support, system
development

41. Strategic, Tactical, and Operational
Plans
• Operational Plan
• Short term (month or quarter)
• Highly detailed
• Ex: resource allotments, budgetary
requirements, staffing assignments,
scheduling, step-by-step or
implementation procedures

42. Change Control/Management
• Planning, testing, logging, auditing, and
monitoring of activities related to security
controls and mechanisms
• Goal: ensure that a change does not reduce
or compromise security
• Must include rollback plan
• How to reverse a change to recover a
previous secured state

43. Change Control/Management
• Required fir ITSEC classifications of B2, B3,
and A1
• Information Technology Security
Evaluation and Criteria

44. Change Control Process
• Implement change in a monitored and orderly
manner
• Formalized testing process to very expected
results
• Rollback plan
• Users are informed of change before it occurs
• Effects of change are systematically analyzed
• Negative impact of change is minimized
• Changes are reviewed and approved by CAB
(Change Approval Board)

45. Data Classification
• Some data needs more security than others
• Criteria:
• Usefulness, timeliness, value, age, data
disclosure damage assessment, national
security implications
• Authorized access, restrictions,
maintenance, monitoring, and storage

46. To Implement a Classification Scheme
1. Identity custodian
2. Specify evaluation criteria
3. Classify and label each resource
4. Document exceptions
5. Select security controls
6. Specify declassification procedures
7. Create awareness program to instruct all
personnel

47. Classification Levels
• Government / Military
• Top Secret
• Secret
• Confidential
• Unclassified
• Business / Private Sector
• Confidential or Private
• Sensitive
• Public

48. Security Roles and Responsibilities
• Senior Manager
• Ultimately responsible for the security of an
organization
• Must sign off on all activities
• Security Professional
• Writes security policy and implements it
• Follows directives from senior management
• Data Owner
• Responsible for classifying information

49. Security Roles and Responsibilities
• Data Custodian
• Implements protections defined by security
policy
• Ex: Making and testing backups, managing
data storage based on classification
• User
• Anyone with access to the secured system
• Auditor
• Produces compliance and effectiveness
reports for the senior manager

50. 2a-3

51. 51
Security Control
Frameworks

52. 52

53. ISO/IEC 27000 Series
• International Organization for
Standardization (ISO)
• With the International Electrotechnical
Commission
• A lengthy list of standards for developing
and maintaining an Information Security
Management System (ISMS)

55. Zachman Framework
• Two-dimensional classification system
• Based on six communication questions
• What, Where, When, Why, Who, How
• Intersecting with perspectives
• Executive, Business Management,
Architect, Engineer, Technician, Enterprise
• Not security oriented
• Helps to relay information in language useful
to personnel

56. The Open Group Architecture
Framework (TOGAF)
• Another enterprise architecture framework
• Helps organizations design, plan,
implement, and govern
• An enterprise information architecture
• Four domains:
• Technology, Applications, Data, Business

57. Dept of Defense Architecture
Framework (DoDAF)
• Organizes a set of products under eight views
• All Viewpoint (AV)
• Capability Viewpoint (CV)
• Data and Information Viewpoint (DIV)
• Operation Viewpoint (OV)
• Project Viewpoint (PV)
• Services Viewpoint (SvcV)
• Standards Viewpoint (STDV)
• Systems Viewpoint (SV)

58. British Ministry of Defense Architecture
Framework (MODAF)
• Divides information into seven viewpoints
• Strategic Viewpoint (StV)
• Operational Viewpoint (OV)
• Service-Oriented Viewpoint (SOV)
• Systems Viewpoint (SC)
• Acquisition Viewpoint (AcV)
• Technical Viewpoint (TV)
• All Viewpoint (AV)

59. Sherwood Applied Business Security
Architecture (SABSA)

60. Control Objectives for Information and
Related Technology (COBIT)
• A set of IT best practices
• From ISACA (Information Systems Audit and
Control Association)
• Five key principles
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management

62. National Institute of Standards and Technology
(NIST) Special Publications (SP) 800 Series
• Describe US Federal Gov't computer
security policies, procedures, and guidelines

63. 63

64. 64

65. HITRUST CSF
• Privately held US company
• Works with healthcare, technology, and
information security leaders
• Establishes Common Security Framework
(CSF)
• To address requirements of multiple
regulations and standards
• Primarily used in healthcare industry

66. 66

67. CIS Critical Security Controls
• From Center for Internet Security
• The first 5 controls eliminate most vulns

68. 68

69. 69

70. Committee of Sponsoring
Organizations (COSO) of the
Treadway Commission Framework
• Five interrelated components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities
• COBIT is the IT governance framework derived
from COSO, which is for corporate governance

71. Operationally Critical Threat, Asset
and Vulnerability Evaluation (OCTAVE)
• Developed at Carnegie Mellon
• An organization implements small teams
that work together to address security needs
• Most recent version is OCTAVE Allegro

73. Information Technology Infrastructure
Library (ITIL)
• Process management standard
• Developed by the Office of Management and Budget
• In OMB Circular A-130
• Five core publications
• ITIL Service Strategy
• ITIL Service Design
• ITIL Service Transition
• ITIL Service Operation
• ITIL continual Service Improvement

74. ITIL
• Has a security component
• Primarily concerned with managing service-
level agreements (SLAs)
• Between an IT organization or department
• And its customers
• Independent review of security controls
should be performed every three years

75. 75

76. Six Sigma
• Process improvement standard

77. 77

78. Capability Maturity Model
Integration (CMMI)
• Process improvement approach
• Three areas of interest
• Product and service development
• CMMI for development
• Service establishment and management
• CMMI for services
• Product service and acquisition
• CMMI for acquisitions

79. CMMI Maturity Levels
• Level 1 Initial
• Level 2 Managed
• Level 3 Defined
• Level 4 Quantitatively Managed
• Level 5 Optimizing

80. CCTA Risk Analysis and Management
Method (CRAMM)
• Risk analysis and management tool
• Developed by the UK Gov't's Central
Computer and Telecommunications Agency
(CCTA)
• CRAMM review has three steps

82. Top-Down Approach
• Upper management initiates and defines
security policy
• Recommended
• Bottom-Up Approach
• IT staff makes security decisions without
input from senior management
• Rarely used and problematic
• Security plans are useless without approval
from senior management

83. 1d

84. 84

85. 85

86. Compliance
• Alignment with standards, guidelines,
regulations, and/or legislation
• Usually industry-specific
• PCI-DSS (Payment Card Industry Data
Security Standard) for merchants who
accept credit card payments
• HIPAA (Health Insurance Portability and
Accountability Act) for healthcare

87. Governance, Risk Management, and
Compliance (GRC)

88. Contractual, Legal, Industry Standards,
and Regulatory Compliance
• Laws vary; work with legal team
• Privacy Requirements Compliance
• Regulates confidentiality of Personally
Identifiable Information (PII)
• The General Data Protection Regulation
(GDPR) is the new European standard

89. 89

90. 90
Legal and Regulatory Issues

91. Computer Crime
• Computer as target
• DoS, installing malware to send spam
• Computer as a tool
• Stealing secrets from a database
• Stealing credit card numbers
• Espionage
• Harassment
• Attribution
• Difficult to prove who did a crime

92. Major Legal Systems
• Civil Law
• Laws and statutes determine what is allowed
• Precedents and particular case rulings carry
less weight than under common law
• Common Law
• Used in the USA, Canada, the UK, and former
British colonies
• Significant emphasis on particular cases and
precedents as determinants of laws
• The major legal system in the CISSP exam

93. Religious and Customary Law
• Religious Law
• Mainly Sharia (Islamic religious law)
• Customary Law
• Customs or practices that are commonly
accepted and treated as law
• Closely related to Best Practices
• Less important

94. Criminal and Civil Law
• Criminal Law
• Victim is society itself
• Enforced by police
• Punishment is often prison time
• Proof must be beyond a reasonable doubt
• Civil Law (Tort Law)
• Injury resulting from failure to provide due care
• Victim is an individual
• Enforced by lawsuits
• Result is financial damages paid to victim
• Burden of proof: preponderance of the evidence
(more likely than not)

96. Administrative Law
• Also called Regulatory Law
• Specify rules and punishments for regulated
industries
• Examples
• FCC regulations
• HIPAA security mandates
• FDS regulations
• FAA regulations

97. Liability
• Due Care
• Also called Duty of Care
• Prudent Man Rule
• Businesses should do what a prudent
man would do
• Best Practices
• Due Diligence
• The management of due care
• Follows a formal process

98. Intellectual Property
• Trademark
• Name, logo, or symbol used for marketing
• Unregistered ™ or Registered ®
• Patent
• Grants a monopoly for an invention
• Copyright ©
• Restricts copying creative work
• Software typically covered by copyright
• Fair sale & fair use are allowed

99. Intellectual Property
• Licenses
• End-User License Agreement (EULA)
• Trade secrets
• Special sauce
• Protected by non-disclosure agreements
(NDAs) & non-compete agreements
(NCAs)

100. Intellectual Property Attacks
• Software piracy
• Copyright infringement
• Corporate espionage
• Cybersquatting & Typosquatting
• Using a domain close to a company's
domain, like yahoo.net or yahooo.com

101. Digital Rights Management (DRM)
• Controls use of digital content
• Digital Millennium Copyright Act (DMCA) of
1998
• Imposes penalties on those who make
available technologies to circumvent copy
protection

102. Import / Export Restrictions
• USA restricted exports of cryptographic
technology in the 1990s
• Restrictions have been relaxed since then
• But cryptography is still regulated
• https://www.bis.doc.gov/index.php/
documents/regulation-docs/2255-
supplement-no-1-to-part-740-country-
groups-1/file

103. 103

104. Example Countries
• Group B (Relaxed)
• Canada, Israel, Japan, Jordan, Saudi
Arabia, Singapore
• Group D-1 (Stricter)
• China, Iraq, N Korea, Russia

105. Cyber Crimes and Data Breaches
• Data Breach
• Confidential information is exposed to
unauthorized parties
• Cyber Crime
• Any criminal act carried out with computers
or the Internet
• Going Dark
• Inability of law enforcement to access
evidence

106. Privacy
• Confidentiality of personal information
• EU Data Protection Directive
• Individuals must be notified how their data
is used & allowed to opt out
• OECD Privacy Guidelines
• Organization for Economic Cooperation
and Development
• Includes EU, USA, Mexico, AU & more

107. EU-US Safe Harbor
• Part of EU Data Protection Directive
• Sending personal data from EU to other
countries is forbidden
• Unless the receiving country adequately
protects its data
• The USA lost this privilege in Oct. 2015
because of the Snowden leaks

108. Privacy Shield
• Replaced Safe Harbor
• Approved by the EU in 2016 and
Switzerland in 2017

109. International Cooperation
• Council of Europe Convention on
Cybercrime
• Includes most EU countries and the USA
• Promotes cooperation

110. Important Laws and Regulations

111. HIPAA
• Health Insurance Portability and
Accountability Act
• Guidance on Administrative, Physical, and
Technical safeguards
• For Protected Health Information (PHI)

112. CFAA
• Computer Fraud and Abuse Act
• Protects government and financial
computers
• Including every computer on the Internet
(probably not the law's original intent)
• It's a crime to exceed your authorization to
use such a computer

113. ECPA & The PATRIOT Act
• Electronic Communications Privacy Act
• Protected electronic communications from
warrantless wiretapping
• Weakened by the PATRIOT Act
• The PATRIOT Act
• A response to 9/11 attacks
• Greatly expanded law enforcement's
electronic monitoring capabilities

114. GLBA & SOX
• Gramm-Leach-Bailey Act
• Forces financial institutions to protect
customer financial information
• Sarbanes-Oxley Act
• Response to ENRON scandal
• Regulatory compliance mandates for
publicly traded companies
• Ensures financial disclosure and auditor
independence

115. PCI-DSS
• Payment Card Industry Data Security
Standard
• Self-regulation by major vendors
• Mandates security policy, devices, controls,
and monitoring to protect cardholder data

116. US Breach Notification Laws
• 47 states require notification
• No federal law yet
• Safe harbor for data that was encrypted at
time of compromise

117. 117
Professional Ethics

118. (ISC)^2 Code of Ethics
• Four Canons
• Protect society, the commonwealth, and
the infrastructure
• Act honorably, honestly, justly, responsibly,
and legally
• Provide diligent and competent service to
principals
• Advance and protect the profession

119. Ethics Complaint

120. Accusation

121. Verdict

122. 1e

123. 123
Security Documentation

124. x

125. Security Structure Components
• Policies
• Processes
• Procedures
• Standards
• Guidelines
• Baselines

126. Security Policies
• Overview or generalization of security needs
• A strategic plan for implementing security
• Assigns responsibilities
• Specifies audit and compliance
requirements
• Outlines enforcement processes
• Defines acceptable risk levels
• Used as proof that senior management has
exercised due care
• Must contain an exception area

127. 127

128. Types of Security Policies
• Organizational
• Issues relevant to every aspect of an
organization
• Issue-specific
• Such as a specific network service
• Like email, privacy, employee termination
• System-specific
• Such as a firewall policy

129. Categories of Security Policies
• Regulatory
• Compliance with industry or legal
standards
• Advisory
• Discusses acceptable activities and
consequences of violations
• Most policies are advisory
• Informative
• Provides background information

130. Processes
• Series of steps or actions to achieve a
particular end
• Examples
• Process to enter an online order
• Process to process a payment
• Processes then lead to procedures

131. Security Procedures
• Detailed step-by-step instructions
• System- and software-specific
• Must be updated as hardware and software
evolve

132. Standards
• Compulsory requirements for homogenous
use of software, technology, and security
controls
• Course of action to implement technology
and procedures uniformly thought an
organization
• Tactical documents

133. Guidelines
• Recommendation on how to meet standards
and baselines
• Flexible; can be customized
• Not compulsory

134. Baselines
• Reference point
• Defined and captured for future reference
• Should be captured when the system is
properly configured and fully updated

135. 135
2a-4

136. Business Continuity

137. Business Continuity Planning (BCP)
• Ensures that business will continue to
operate before, throughout, and during a
disaster
• Ensures that critical services can be carried
out
• Strategic, long-term: focuses on business
as a whole
• An umbrella plan that includes multiple
plans, most importantly the Disaster
Recovery Plan (DRP)

138. Disaster Recovery Planning (DRP)
• Tactical, short-term
• Plan to deal with specific disruptions,
such as a malware infection

139. Business Impact Analysis (BIA)
• Determine Maximum Tolerable Downtime
(MTD) for specific IT assets
• First, identify critical assets
• Second, comprehensive risk analysis
• Including vulnerability analysis

140. 140

141. Personnel Security Policies and
Procedures
• Candidate Screening
• Employment Agreements and Policies
• Non-Disclosure Agreement (NDA)
• Acceptable Use Policy (AUP)
• Code of Conduct
• Conflict of Interest
• Ethics

142. Employee Onboarding and Offboarding
• Onboarding
• Orientation and provisioning
• Offboarding (Termination)
• Knowledge transfer
• Exit interview

143. Job Rotation and Separation of Duties
• Job Rotation
• Moves personnel from one job to another
periodically
• Prevents one person from being irreplaceable
• Helps to detect fraud
• Separation of Duties requires two or more
people to work on portions of a task
• Prevents fraud without collusion

144. 144
Risk Management Concepts

145. 145

146. 146
Risk Analysis

147. Risk Analysis
• Assets
• Valuable resources to protect
• Threat
• A potentially harmful occurrence
• Vulnerability
• A weakness

148. Risk = Threat x Vulnerability
• Earthquake risk is the same in Boston and
San Francisco
• Boston
• Earthquakes are rare, but buildings are old
and vulnerable
• San Francisco
• Earthquakes are common, but buildings
are newer and safer

149. Impact
• Severity of the damage in dollars
• Risk = Threat x Vulnerability x Impact
• Human life is considered near-infinite impact

152. Total Cost of Ownership (TCO)
• Of a mitigating safeguard includes
• Upfront costs
• Annual cost of maintenance
• Staff hours
• Maintenance fees
• Software subscriptions

153. Return on Investment (ROI)
• Amount of money saved by implementing a
safeguard
• If Total Cost of Ownership is less than
Annualized Loss Expectancy, you have a
positive ROI

154. Risk Choices
• Accept the risk
• Mitigate the risk
• Transfer the risk
• Risk avoidance

155. Quantitative and Qualitative Risk
Analysis
• Quantitative
• Uses hard metrics, like dollars
• Qualitative
• Use simple approximate values
• Or categories like High, Medium, Low

156. 156

157. 157
Access Control Defensive
Categories and Types

158. Access Control Types
• Preventive
• Detective
• Corrective
• Recovery
• Deterrent
• Compensating

159. Access Control Types
• Preventive
• Prevents actions, such as limited
privileges
• Detective
• Alerts during or after an attack, like video
surveillance
• Corrective
• Corrects a damaged system or process,
like antivirus removing a suspicious file

160. Access Control Types
• Recovery
• Restores functionality after a security incident, such
as restoring from backups
• Deterrent
• Scares away attackers, like a "Beware of Dog" sign
• Compensating
• Additional control to compensate for weakness in
other controls
• e. g. reviewing server logs to detect violations of the
Computer Use Policy (an administrative control)

161. Access Control Categories
• Administrative
• Policy, procedure, or regulation
• Technical
• Software, hardware, or firmware
• Physical
• Locks, security guards, etc.

162. 162
Threat Modeling

163. Threat Modeling
• Application-centric
• Asset-centric
• Attacker-centric

164. Microsoft STRIDE Threat Categorization
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
• Other modeling tools: PASTA, Trike, VAST

165. 165

166. Risks in the Supply Chain
• Hardware, Software, Services
• Third-Party Assessment and Monitoring
• Service Level Agreements

167. 2b Part 3